What the good guys are up against: a roundup of popular attack vectors

To help the defenders know what they’re up against, here are some of the attack vectors that have been frequently used in recent months

cyber security
Vishnu_KV (CC0)

Defenders face creative adversaries who are constantly evolving their attack arsenal. To help the good guys know what they’re up against, here are some of the attack vectors that have been frequently used in recent months. Some of these vectors – like fileless malware attacks and ransomware – are likely well-known to security professionals. But this doesn’t make them any less dangerous. Attackers are continuing to use them since they’ve proven effective in campaigns.

Memory-resident malware

This malware loads its own program into permanent memory. Memory-resident malware is also known as an ephemeral infection. Actors are increasingly coupling fileless intrusions with memory-resident malware as a way to evade traditional detection capabilities. The decision not to write to disk carries inherent risk of losing access to machines that have been rebooted. But some advanced threat actors have leveraged the constant network connectivity of most corporate networks to maintain persistence through covert communication channels and scanning of the internal network to re-infect machines that were shutdown or rebooted.

This tactic, while not new, is increasingly used because a significant number of incident response plans and forensic investigations do not include memory dumps in their standard operating procedures, which means that even if the infection is detected the forensic evidence is often destroyed by the team investigating the intrusion.

Fileless malware

This technique leverage an OS’ built-in tools and capabilities to execute malicious activity. The most common instances of this technique is the abuse of Microsoft’s WMI and Powershell. This technique is incredibly powerful for threat actors because it reduces the network footprint since additional tools or capabilities aren’t needed for the operation.

The prevalence of this technique has increased dramatically as penetration testing tools such as Cobalt Strike and Metasploit have included Powershell modules. The point-and-click nature of this capability coupled with the smaller malicious footprint on the end user has led to the rapid expansion and adoption of this style of attack from both APT and cyber-criminal threat actors.


This threat is not new and has particularly impacted the health-care industry and government agencies. Although, as the recent WannaCry attach proved, every organization is vulnerable. However, the constant adaptation of this capability merits additional focus. As new methods to defray the impact of a ransomware attack are invented, whether it is traditional hashing or increased data retention/off site storage. The ransomware industry has responded with new capabilities such as polymorphic strains that defeat traditional antivirus protections or hijack cloud service utilities to capture backed up data.

A particularly concerning subset of ransomware is labeled as doxware. It acts in a similar fashion to ransomware but it takes the attack further by compromising the confidentiality of the information in addition to the accessibility. If a compromised company does not pay up, the attacker will leak the information online. The potential for this type of attack to expose sensitive information, such as health-care records, is significantly more damaging than in other industries.

Social media for command and control

The explosion of social media applications in the workplace has led to a rise in the use of these platforms for command and control of malicious activity within compromised networks. The applications used and the method varies both by actor and by victim network but the overall trend is to leverage these capabilities to hide malicious activity. The ability to post and consume commands to and from a Twitter account is fairly trivial but is horrifically difficult for someone auditing network logs to catch.

The communication channel itself is often considered benign and as long as there is some level of randomization to the activity it should blend in as a normal user checking the news or wasting some time while at work. Hackers have increasingly honed their tool kit to make it blend in with the network noise and will continue to exploit these common websites and services to hide their activity.

Cloud storage as an exfiltration method

Threat actors are increasingly using cloud storage providers to exfiltrate larges amount of data undetected. Once actors have a foothold they will often scan to see what cloud provider is being used and then leverage that trusted relationship to exfiltrate desired information. By using the same service they can often hijack existing processes and network communications to exfiltrate their data to the same provider and just fork it off to another account.

The truly advanced actors will attempt to figure out the average size of the file or batch of files sent from the account compromised to the cloud so they can mimic that behavior and completely blend in with the environment they are operating from. Due to the encryption surrounding the transfer of files from a host to a cloud storage provider, detecting the malicious transfers is almost impossible from the network, especially if the attacker has taken the time to customize their activity to the environment.

What’s an enterprise to do?

There’s no magic solution to keep organizations safe from these or any other threats. My philosophy is that defense will only offer a certain amount of protection. Creative and motivated adversaries will eventually find a way past whatever firewalls, antivirus programs and other security measures you implement.

Instead, anticipate and accept that the bad guys will get in. Know what’s going on on your networks and, in particular, your endpoints since they contain the data that attackers want. Develop, test and revise your incident response plan. People shouldn’t be familiarizing themselves with it in the middle of a crisis. Finally, treat an incident as an opportunity to talk about your organization’s security plan and improve it if necessary. To paraphrase Winston Chrurchill: never let a crisis go to waste.

This article is published as part of the IDG Contributor Network. Want to Join?

New! Download the State of Cybercrime 2017 report